Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.
Overall score: 97%

Does it follow best practices?

Impact: Pending (no eval scenarios have been run)
Quality: Passed (no known issues)

Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides highly specific capabilities (PKCE, device flow, token rotation, JWT validation), includes a comprehensive 'Use when' clause covering both setup and troubleshooting scenarios, and is clearly scoped to a distinct niche (OAuth in Fastify). The trigger terms cover natural user language from basic ('login flows', 'API security') to advanced (RFC numbers), ensuring broad discoverability without sacrificing precision.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, token introspection/revocation endpoints. Very detailed and actionable. | 3 / 3 |
| Completeness | Clearly answers both 'what' (implements OAuth flows in Fastify with specific capabilities listed) and 'when' (explicit 'Use when...' clause covering setup scenarios and troubleshooting scenarios). Both halves are thorough. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'authentication', 'authorization', 'login flows', 'access tokens', 'API security', 'OAuth', 'PKCE', 'redirect URIs', 'CSRF issues', 'scope problems', plus specific RFC numbers for advanced users. Covers both beginner and expert vocabulary. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive — scoped specifically to OAuth 2.0/2.1 in Fastify applications, which is a clear niche. The combination of framework (Fastify) and domain (OAuth) with specific protocol details makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 85%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, well-structured skill that provides executable TypeScript code for implementing OAuth 2.0 in Fastify with clear step-by-step sequencing and validation checkpoints. The progressive disclosure is excellent, keeping the main file focused on the most common flow while pointing to specialized files for other grant types. Minor verbosity in inline comments and some explanatory text that Claude wouldn't need slightly reduces token efficiency.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient with good code examples, but includes some unnecessary commentary (e.g., 'never log the raw token', 'Store only what you need') and inline comments that explain things Claude already knows. The security checklist and anti-patterns sections are well-structured but some entries restate common knowledge. | 2 / 3 |
| Actionability | Provides fully executable TypeScript code for each step — plugin registration, callback handling, JWT validation middleware, route protection, and refresh token rotation. Code is copy-paste ready with real imports, types, and environment variable patterns. | 3 / 3 |
| Workflow Clarity | Clear 6-step sequence with explicit validation checkpoints after steps 2 and 4. Includes a security checklist as a final verification gate, and the refresh token rotation step includes a feedback note about replacing stored tokens. The workflow covers the full lifecycle from install to protected routes. | 3 / 3 |
| Progressive Disclosure | The main skill covers the core authorization code + PKCE flow concisely, then clearly signals one-level-deep references to DEVICE_FLOW.md, TOKEN_VALIDATION.md, CLIENT_CREDENTIALS.md, and MOBILE_OAUTH.md for specialized topics. Content is well-split between overview and advanced material. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure — 10 / 11 Passed
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata.version' is missing | Warning |
| Total | | 10 / 11 Passed |